From: Dylan William Hardison <dylan@hardison.net>
Date: Fri, 13 May 2016 17:34:19 +0000 (-0400)
Subject: Bug 1250114 - XSS possible in extensions calling global/tabs.html.tmpl if tab.link... 
X-Git-Tag: bugzilla-4.4.12~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=01ad7ac3e1da1a3d7d7acc470a38d2dd57b4f6a4;p=thirdparty%2Fbugzilla.git

Bug 1250114 - XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
---

diff --git a/template/en/default/global/tabs.html.tmpl b/template/en/default/global/tabs.html.tmpl
index 454066889d..dc9ca4c0a6 100644
--- a/template/en/default/global/tabs.html.tmpl
+++ b/template/en/default/global/tabs.html.tmpl
@@ -25,7 +25,7 @@
             [% tab.label FILTER html %]</td>
         [% ELSE %]
           <td id="tab_[% tab.name FILTER html %]" class="clickable_area"
-              onClick="document.location='[% tab.link FILTER html %]'">
+              onClick="document.location='[% tab.link FILTER js FILTER html %]'">
             <a href="[% tab.link FILTER html %]">[% tab.label FILTER html %]</a>
           </td>
         [% END %]